Managing cryptographic keys
You can use the CNM utility to manage master keys and primary key-encrypting
keys (KEKs), and to reset and manage the Data Encryption Standard (DES),
public key algorithm (PKA), and Advanced Encryption Standard (AES) key stores.
Key types are defined as follows:
- A master key is a special KEK stored in clear text (not enciphered) and kept within the coprocessor secure module. Three kinds of master keys are supported: DES, PKA, and AES. They are used to wrap other keys so that those keys can be stored outside of the secure module. DES and PKA master keys are 168-bit keys formed from three 56-bit DES keys. AES master keys are 256-bit keys.
- Primary KEKs are DES keys shared by cryptographic nodes and are sometimes referred to as transport keys. They are used to encipher other keys shared by the nodes. Primary KEKs, like the master key, are installed from key parts. Knowledge of the key parts can be shared in part by two people to effect a split-knowledge, dual-control security policy.
- Other DES keys, PKA keys, and AES keys, such as message authentication code (MAC) keys, DATA keys, and private PKA keys, are enciphered keys that are used to provide cryptographic services.
Note: When exchanging clear key parts, ensure that each party understands
how the exchanged data is to be used, because the management of key
parts varies among different manufacturers and different encryption
products.
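The following added example (not part of the CNM documentation or the CCA product code) illustrates the two key-management ideas above: a 168-bit three-key DES master key assembled from key parts held by different people, and an operational key wrapped under that master key so it can be stored outside the secure module. It assumes that key parts are combined by XOR and uses plain triple-DES ECB as a simplified stand-in for wrapping; the real CCA key-token format is not reproduced.

```go
package main

import (
	"crypto/des"
	"errors"
	"math/bits"
)

// setOddParity fixes the parity bit of every DES key byte (7 key bits + 1 parity bit per byte: 168 key bits in 24 bytes).
func setOddParity(k []byte) {
	for i, b := range k {
		k[i] ^= byte(1 - bits.OnesCount8(b)%2) // flip the low bit when parity is even
	}
}
// combineParts XORs two or more 24-byte key parts into one master key (XOR is
// assumed here); no single part holder learns anything about the final key.
func combineParts(parts ...[24]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("dual control requires at least two key parts")
	}
	key := make([]byte, 24)
	for _, p := range parts {
		for i := range key {
			key[i] ^= p[i]
		}
	}
	setOddParity(key)
	return key, nil
}
// wrapUnderMaster enciphers (or, with unwrap set, deciphers) 8-byte blocks of key
// material under the master key. Simplified stand-in for CCA wrapping, not the token format.
func wrapUnderMaster(masterKey, in []byte, unwrap bool) ([]byte, error) {
	block, err := des.NewTripleDESCipher(masterKey)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%8 != 0 {
		return nil, errors.New("key material must be a non-empty multiple of 8 bytes")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		if unwrap {
			block.Decrypt(out[i:i+8], in[i:i+8])
		} else {
			block.Encrypt(out[i:i+8], in[i:i+8])
		}
	}
	return out, nil
}
```

Each key part on its own is a uniformly random 24-byte string, which is what makes the split-knowledge policy hold; only the combined value, formed inside the secure module, is ever a usable master key.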